{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T14:25:48.631","vulnerabilities":[{"cve":{"id":"CVE-2023-53659","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-07T16:15:49.573","lastModified":"2026-02-03T19:52:28.803","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix out-of-bounds when setting channels on remove\n\nIf we set channels greater during iavf_remove(), and waiting reset done\nwould be timeout, then returned with error but changed num_active_queues\ndirectly, that will lead to OOB like the following logs. Because the\nnum_active_queues is greater than tx/rx_rings[] allocated actually.\n\nReproducer:\n\n  [root@host ~]# cat repro.sh\n  #!/bin/bash\n\n  pf_dbsf=\"0000:41:00.0\"\n  vf0_dbsf=\"0000:41:02.0\"\n  g_pids=()\n\n  function do_set_numvf()\n  {\n      echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n      sleep $((RANDOM%3+1))\n      echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n      sleep $((RANDOM%3+1))\n  }\n\n  function do_set_channel()\n  {\n      local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)\n      [ -z \"$nic\" ] && { sleep $((RANDOM%3)) ; return 1; }\n      ifconfig $nic 192.168.18.5 netmask 255.255.255.0\n      ifconfig $nic up\n      ethtool -L $nic combined 1\n      ethtool -L $nic combined 4\n      sleep $((RANDOM%3))\n  }\n\n  function on_exit()\n  {\n      local pid\n      for pid in \"${g_pids[@]}\"; do\n          kill -0 \"$pid\" &>/dev/null && kill \"$pid\" &>/dev/null\n      done\n      g_pids=()\n  }\n\n  trap \"on_exit; exit\" EXIT\n\n  while :; do do_set_numvf ; done &\n  g_pids+=($!)\n  while :; do do_set_channel ; done &\n  g_pids+=($!)\n\n  wait\n\nResult:\n\n[ 3506.152887] iavf 0000:41:02.0: Removing device\n[ 3510.400799] ==================================================================\n[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536\n[ 3510.400823]\n[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G           O     --------- -t - 4.18.0 #1\n[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021\n[ 3510.400835] Call Trace:\n[ 3510.400851]  dump_stack+0x71/0xab\n[ 3510.400860]  print_address_description+0x6b/0x290\n[ 3510.400865]  ? iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400868]  kasan_report+0x14a/0x2b0\n[ 3510.400873]  iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400880]  iavf_remove+0x2b6/0xc70 [iavf]\n[ 3510.400884]  ? iavf_free_all_rx_resources+0x160/0x160 [iavf]\n[ 3510.400891]  ? wait_woken+0x1d0/0x1d0\n[ 3510.400895]  ? notifier_call_chain+0xc1/0x130\n[ 3510.400903]  pci_device_remove+0xa8/0x1f0\n[ 3510.400910]  device_release_driver_internal+0x1c6/0x460\n[ 3510.400916]  pci_stop_bus_device+0x101/0x150\n[ 3510.400919]  pci_stop_and_remove_bus_device+0xe/0x20\n[ 3510.400924]  pci_iov_remove_virtfn+0x187/0x420\n[ 3510.400927]  ? pci_iov_add_virtfn+0xe10/0xe10\n[ 3510.400929]  ? pci_get_subsys+0x90/0x90\n[ 3510.400932]  sriov_disable+0xed/0x3e0\n[ 3510.400936]  ? bus_find_device+0x12d/0x1a0\n[ 3510.400953]  i40e_free_vfs+0x754/0x1210 [i40e]\n[ 3510.400966]  ? i40e_reset_all_vfs+0x880/0x880 [i40e]\n[ 3510.400968]  ? pci_get_device+0x7c/0x90\n[ 3510.400970]  ? pci_get_subsys+0x90/0x90\n[ 3510.400982]  ? pci_vfs_assigned.part.7+0x144/0x210\n[ 3510.400987]  ? __mutex_lock_slowpath+0x10/0x10\n[ 3510.400996]  i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]\n[ 3510.401001]  sriov_numvfs_store+0x214/0x290\n[ 3510.401005]  ? sriov_totalvfs_show+0x30/0x30\n[ 3510.401007]  ? __mutex_lock_slowpath+0x10/0x10\n[ 3510.401011]  ? __check_object_size+0x15a/0x350\n[ 3510.401018]  kernfs_fop_write+0x280/0x3f0\n[ 3510.401022]  vfs_write+0x145/0x440\n[ 3510.401025]  ksys_write+0xab/0x160\n[ 3510.401028]  ? __ia32_sys_read+0xb0/0xb0\n[ 3510.401031]  ? fput_many+0x1a/0x120\n[ 3510.401032]  ? filp_close+0xf0/0x130\n[ 3510.401038]  do_syscall_64+0xa0/0x370\n[ 3510.401041]  ? page_fault+0x8/0x30\n[ 3510.401043]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n[ 3510.401073] RIP: 0033:0x7f3a9bb842c0\n[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d \n---truncated---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.82","versionEndExcluding":"5.10.188","matchCriteriaId":"BF059936-16B7-424A-A237-C454DFEB0CD9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.5","versionEndExcluding":"5.15.123","matchCriteriaId":"782C300D-5506-453A-9EF5-D653DBCBA571"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16.1","versionEndExcluding":"6.1.42","matchCriteriaId":"744AF53E-2FD7-4E50-A803-B05322440431"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.4.7","matchCriteriaId":"60A1A1ED-EA6C-42F6-80D3-3316DC7608C7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:-:*:*:*:*:*:*","matchCriteriaId":"FF588A58-013F-4DBF-A3AB-70EC054B1892"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*","matchCriteriaId":"A73429BA-C2D9-4D0C-A75F-06A1CA8B3983"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*","matchCriteriaId":"F621B5E3-E99D-49E7-90B9-EC3B77C95383"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:*","matchCriteriaId":"F7BFDCAA-1650-49AA-8462-407DD593F94F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:*","matchCriteriaId":"6EC9882F-866D-4ACB-8FBC-213D8D8436C8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc6:*:*:*:*:*:*","matchCriteriaId":"8A0915FE-A4AA-4C94-B783-CF29D81E7E54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc7:*:*:*:*:*:*","matchCriteriaId":"4EAC2750-F7C6-4A4E-9C04-1E450722B853"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc8:*:*:*:*:*:*","matchCriteriaId":"ED611C74-E83A-4AFA-8688-9B829C02B038"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*","matchCriteriaId":"0B3E6E4D-E24E-4630-B00C-8C9901C597B0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*","matchCriteriaId":"E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0fb37ce6c01e17839e26d03222f0b44e6a3ed2b9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/65ecebc9ac09427b2c65f271cd5e5bd536c3fe38","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6e1d8f1332076a002e6d910d255aa5903d341c56","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7c4bced3caa749ce468b0c5de711c98476b23a52","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b92defe4e8ee86996c16417ad8c804cb4395fddd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}